Skip to content

test: e2e for TrafficProtectionPolicy Enforce serving traffic (#243)#245

Merged
ecv merged 2 commits into
mainfrom
test/issue-243-tpp-enforce-e2e
Jul 10, 2026
Merged

test: e2e for TrafficProtectionPolicy Enforce serving traffic (#243)#245
ecv merged 2 commits into
mainfrom
test/issue-243-tpp-enforce-e2e

Conversation

@ecv

@ecv ecv commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

What

Chainsaw e2e regression for #243. Deploys a backend, a Gateway on the WAF datum-downstream-gateway class with an HTTPRoute, and a TrafficProtectionPolicy in Enforce mode, then probes the downstream Envoy over the wire and asserts a benign GET returns 200 — not the empty/5xx reply the unescaped error-page body produces.

Gateway.status.Programmed alone is insufficient: Envoy Gateway reports it from its own translation, independent of Envoy's xDS ACK. So the test asserts on an actual HTTP response.

Precondition

Requires the WAF data plane on the downstream cluster (extension-server + the extensionManager Envoy Gateway registered on the datum-downstream-gateway class + the Coraza filter). Stock make prepare-infra-cluster does not install this; environments without it skip via the unmet Programmed assertion.

Proof (this exact test, same fresh-fleet harness, only the operator image differs)

The fix is in #244.

Refs #243.

Chainsaw regression for #243. Deploys a backend, a Gateway on the WAF
GatewayClass with an HTTPRoute, and a TrafficProtectionPolicy in Enforce
mode, then probes the downstream Envoy over the wire and asserts a benign
GET returns 200 rather than the empty/5xx reply the unescaped error-page
body produces.

Gateway.status.Programmed alone is insufficient — Envoy Gateway reports
it from its own translation, independent of Envoy's xDS ACK — so the test
asserts on an actual HTTP response.

Requires the WAF data plane (extension-server + the extensionManager
Envoy Gateway on the datum-downstream-gateway class); environments without
it skip via the unmet Programmed assertion.

Refs #243

Key changes:
- add test/e2e/trafficprotectionpolicy-enforce/chainsaw-test.yaml
The hostname binding referenced $namespace at spec level, where it is not
yet defined, so chainsaw aborted the test with "variable not defined:
$namespace" before any step ran. Move the binding into the two steps that
use it, where the per-test namespace is in scope.

Verified against the fixed operator image on the local WAF stack: the test
now runs and passes (benign GET returns the backend's 200).
@ecv

ecv commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

oh ok, the red test in this is because the fixes arent in this branch. it proves the negative right now. whew

@kevwilliams kevwilliams left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this

@ecv ecv marked this pull request as ready for review July 10, 2026 13:45
@ecv ecv merged commit cbaa42c into main Jul 10, 2026
10 of 11 checks passed
@ecv ecv deleted the test/issue-243-tpp-enforce-e2e branch July 10, 2026 13:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants